2018 MacBook Pros and imaging

ManageMeNot
New Contributor

So we can no longer use the macOS installer on an external HD with the 2018 MBPs?

I take it the T2 chip prevents this? How do we manage our macOS now? Third party software isn’t going to support the latest macOS right away.

26 Replies

jlockman
New Contributor II

Just got one of these. If you want to boot to external media, you have to go through setup and create an admin account first, then you can alter the Startup Security Utility settings to allow booting from external media. I made the mistake of wiping my drive and not going through setup first so I didn't have an admin account created and had to use internet recovery.

Once you've gone through setup and created an admin account, boot using command+R to boot into macOS recovery, then when you see the macOS Utilities window, choose Utilities > Startup Security Utility from the menu bar.

It should prompt you for an admin username and password, enter it and you should be able to change it to boot from external media.

More info about Startup Security Utility https://support.apple.com/en-us/HT208198

Update: found this detail in another post - you need an admin account with Secure Token in order to unlock Startup Security Utility. Relevant post here: https://www.jamf.com/jamf-nation/discussions/29093/issues-with-startup-security-utility

al786
New Contributor III

^^ Literally had the same issue and almost "bricked" one until I got it to do internet restore. I usually do ASR restore via AutoDMG image but can't do that anymore. DEP is the only option now.

bwiessner
Contributor II

DEP is not the only way -

https://www.jamf.com/jamf-nation/discussions/28957/imaging-imac-18-2-to-10-13-6

roiegat
Contributor III

It's thrown a wrench in our process as well. More for re-building a Mac...but still a pain.

tjhall
Contributor III

Can you not utilise the erase and install feature in the OS X installer and then create install policies based on smart groups once QuickAdd has been added and MDM is approved?

alexjdale
Valued Contributor III

I think the biggest issue right now is that we will have to wait until Mojave to have a macOS installer we can use.

I tried to brick one of these on purpose by erasing the drive. Internet Restore is the only option at that point since you can't get to the Secure Boot utility to make changes. It works, but it took me 3 hours and several restarts to get it to complete the download process. As usual, I am not impressed, Apple rolled out something without proper support tools. They didn't even add Secure Boot management to MDM.

tjhall
Contributor III

So what happens if you copy over a local OS X installer and run "/Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/startosinstall --applicationpath /Applications/Install\ macOS\ High\ Sierra.app --agreetolicense --nointeraction" in Terminal? Does it re-install or is there an error message?

bwiessner
Contributor II

@tjhall the build that is shipped with the new 2018 Macs is newer than what's in the App Store installer - it won't work.

https://www.jamf.com/jamf-nation/discussions/28957/imaging-imac-18-2-to-10-13-6

alexjdale
Valued Contributor III

@tjhall That should work fine, but I'm concerned about scenarios where the OS isn't bootable or we don't have a Secure Tokenized admin account with a known password. Plus we don't have a standalone app installer with this OS build, I believe? That might not happen until Mojave.

FritzsCorner
Contributor III

@alexjdale

Rich Trouton did a blog post on this a few days ago. I am about to test the bootstrapr & installr workflow outlined in his post.

The T2 Macs, the end of NetBoot and deploying from macOS Recovery

FritzsCorner
Contributor III

@alexjdale

I forgot to mention, as far as getting a High Sierra installer for the new 2018 MacBooks you can use the script outlined in another one of Rich's blog posts. Run this script on one of the new MacBooks and it will come back with all the available OS installers. There should be 2 listed for High Sierra, use the one with the longer build number (I don't recall what it is from memory) but I did this and it worked fine on the new MacBooks for us.

Using installinstallmacos.py to download macOS High Sierra installers

Tribruin
Valued Contributor II

Just a note about using installinstallmacos.py. It appears there is something about trying to download the MBP (2018) compatible build of 10.13.6 that will not work on any other macOS machine. In other words, you have to download the MBP (2018) build on an MBP (2018) machine. If you only have a single MacBook, you may be stuck in a chicken-egg scenario.

upworkadmin
New Contributor

For those who are still using netrestore, how are you guys getting around this?
With the new lineup of MBPs, looks like netrestore is dead. When I turn the computer on and do the normal routine of selecting which image to choose from in boot options, none of the images appear. The only thing I see is the Mac HD.

bwiessner
Contributor II

@upworkadmin -

I’ve just been using Jamf Pro - target mode imaging from another USB-C MacBook Pro and not installing an OS or erasing the drive - just using the OS shipped with the Mac.

thisistomiko
New Contributor

@FritzsCorner

For the 2018 version of 10.13.6 - Build 17G2208
For pre-2018 model version of 10.13.6 - Build 17G65

Also, when you build the 2018 version, build on the 2018 machine - Apple does a hardware verification and wouldn't allow you to pull the installer properly on any other model.

tjhall
Contributor III

But using the OS X installer you can set up an automated process since the installer after 10.13.4 supports additional package installs.

Our newly developed workflow for our re-builds is based on this. This entails adding additional packages to be run by the OS X installer (kicked off via script) which installs the Jamf QuickAdd and pre-made admin account (UID 501 so it gets the secure token) and a launch agent which sets off "SplashBuddy" on login.

As long as all the required components are in place before, I can rebuild any Mac (as long as it already has 10.13.4) by launching the script which erases and re-installs OS X, creates an admin user, adds Jamf and runs "SplashBuddy" on login. All I need to do is to log in, approve the MDM in profiles and name the Mac via SplashBuddy. The rest of the apps and settings are installed and set up automatically via the Jamf policies.
It's as close as I can get to DEP without it being a DEP enabled Mac.

mconners
Valued Contributor

Hello @tjhall and others, I too am running into this but I have been using the workflow that @tjhall has mentioned.

To this point, it has been a fairly straightforward and painless process and works well. With this new hardware though, is there any way of getting the "combo" update to be added to the install? As it is, we are copying down 10.13.6 to the local drive and letting it run through the installation process. With this, the computer will reboot several times to get firmware updates and so forth and is the preferred method going forward. Using the startosinstall command with the switch, --eraseinstall will wipe the drive, load the OS and start up in default OS mode.

@tjhall what are you doing or seeing with new hardware? Do you have a workaround aside from booting to recovery to wipe the computer?

tjhall
Contributor III

@mconners We cache the latest OS X installer and the required files locally via ongoing policy first.
To re-install we run a script (wrapped up as an app with Platypus) which kicks off the OS X installer and subsequently the required packages.
The important part is to use the --installpackage feature for the OS X installer so the other packages are installed as well and at the same time (admin account, Jamf QuickAdd and SplashBuddy launch agent in our case).
It will take some fiddling to get the additional packages to work (edit to add product ID and then flatten) but once it's up and running it's one click to re-install (which wipes and re-installs OS X, adds our admin account and installs JAMF).

carlo_anselmi
Contributor III

@tjhall How do you create the pkg for local admin with your workflow? Is it securetoken enabled?
Many thanks!
Carlo

tjhall
Contributor III

@carlo.anselmi I created it using MacUserGenerator. Just make sure the account isn't hidden (since it won't get a secure token if it is).

blackholemac
Valued Contributor III

Thank you @tjhall for the heads up to MacUserGenerator...I'm going to try it out today. As to the original post, I'm realizing that we are taking our DEP-based workflow full throttle forward as imaging doesn't have a bright future.

Given the 2018 MacBook Pros, you can allow the device to boot from external media. If you are, I would make sure that you have it boot to an installer contained on external media but only once a "roll-up" installer comes around (which may never happen on High Sierra, given how close we are getting to Mojave.) The MacBook Pro 2018 uses a model-specific macOS build for 10.13.6 and much like older Macs, if you try to use any other form of 10.13, it's probably going to not work or if for whatever reason it does, watch the machine act screwy.

tjhall
Contributor III

I haven't verified if the sequence of the remaining packages matters concerning the admin account (the quickadd.pkg will add an additional one and on testing it didn't get a secure token) so I've chosen to install the admin.pkg first (and it's a different admin user just in case).

Below is my combined command that I use to kick off our "OS X rebuild Mac installer".

It should work fine using the new MacBook as well as long as it's got the right OS X installer (use https://github.com/munki/macadmin-scripts/blob/master/installinstallmacos.py to download it) which can be pushed out specifically to 2018 Macs via smart group policy.

"/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" --eraseinstall --applicationpath "/Applications/Install macOS High Sierra.app" --converttoapfs YES --installpackage "/Library/Application Support/support/admin.pkg" --installpackage "/Library/Application Support/support/QuickAdd.pkg" --installpackage "/Library/Application Support/support/SplashBuddy.pkg" --nointeraction --agreetolicense

ubcoit
Contributor II

Hi.

I searched around in the forums and while this question isn't directly related to the 2018 MacBook it is related to the startosinstall command used. I can't seem to get our quickadd.pkg to work with the --installpackage command. I cache the package and signed it but the test iMac never reboots.

Here is the command.

"/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS High Sierra.app" --eraseinstall --agreetolicense --nointeraction --pidtosignal "$jamfHelperPID" --installpackage "/Library/Application Support/JAMF/Waiting Room/$4" &

$4 is defined on the script that runs the command in the jss.

I've successfully run this with an office installer as $4 instead of our quickadd.pkg as $4, as in, the system reboots, re-installs MacOS and once I click through the setup wizard Office is already installed.

[STEP 1 of 5]
Executing Policy OKIT - Erase and Install MacOS High Sierra 10.13.6 - admin
[STEP 2 of 5]
Caching package okit-admin-jamf-pro-join-2018-09-07-signed.pkg...
Downloading okit-admin-jamf-pro-join-2018-09-07-signed.pkg...
Downloading https://cpdp01.ucms.it.ubc.ca/cpdp01/Packages/okit-admin-jamf-pro-join-2018-09-07-signed.pkg...
[STEP 3 of 5]
Running script OKIT - Install macOS High Sierra...
Script exit code: 0
Script result: heading='Please wait as we prepare your computer for macOS High Sierra...'
description='

This process will take approximately 5-10 minutes.

Once completed your computer will reboot and begin.'
icon='/Applications/Install macOS High Sierra.app/Contents/Resources/InstallAssistant.icns'
'/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper' -windowType fs -title '' -icon '/Applications/Install macOS High Sierra.app/Contents/Resources/InstallAssistant.icns' -heading 'Please wait as we prepare your computer for macOS High Sierra...' -description '

This process will take approximately 5-10 minutes.

Once completed your computer will reboot and begin.'
+ echo 3630
jamfHelperPID=3630
exit 0
'/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall' --applicationpath '/Applications/Install macOS High Sierra.app' --eraseinstall --agreetolicense --nointeraction --pidtosignal 3630 --installpackage '/Library/Application Support/JAMF/Waiting Room/okit-admin-jamf-pro-join-2018-09-07-signed.pkg'
[STEP 4 of 5]
[STEP 5 of 5]

Any ideas what I'm missing?
Thank you.

tjhall
Contributor III

@ubcoit You might need to add a product ID to it and then flatten it before it works.
Best way to check if it will pass is to throw it into "System image utility" app. If it goes in ok there then it will install.

ubcoit
Contributor II

Thanks tjhall. I dropped the generated quickadd.pkg from Recon into System Image Utility and it doesn't like it. I'll look into converting it and/or adding a product ID to it.

ubcoit
Contributor II

tjhall was correct, the quickadd.pkg needs a product ID for it to work. The "System Image Utility" trick is a good tip for testing. Thanks. After digging for a while it turns out it's not that hard to add a product ID to an existing pkg. Using Terminal, here is a quick summary...

For the following commands below, I ran the commands from the same directory that my content was in so paths were not required.

Generate a distribution.xml with the below command:
productbuild --synthesize --package okit-admin-jamf-pro-join-2018-05-07-10.4.0.pkg distribution.xml

Edit the generated distribution.xml and add the below line (edited for your needs, I don't think it really matters what it says here) above the last line </installer-gui-script> in the xml:

<product id="ca.okit.quickadd" version="1.0"/>

Create a new pkg with the distribution.xml:

productbuild --distribution distribution.xml --package-path okit-admin-jamf-pro-join-2018-05-07-10.4.0.pkg okit-admin-jamf-pro-join-2018-05-07-10.4.0-new.pkg

Test in System Image Utility and installing it on a workstation. Also note, signing wasn't required after all, at least for now.
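
The three steps from the post above, combined into one script. This is an added example, not code from the thread: the function names, the com.example.quickadd identifier and the sample distribution.xml are constructed for illustration, and it assumes the closing tag sits on its own line, as it does in a file written by productbuild --synthesize.

```bash
#!/bin/bash
# Added example (not from the thread): give a component pkg a product ID so
# that startosinstall --installpackage will accept it.

# Insert <product id=... version=.../> above the closing </installer-gui-script>
# line of a distribution file. A file that already has a <product> is left alone.
add_product_id() {
    local dist="$1" id="$2" version="$3" tmp
    if grep -q '<product[ /]' "$dist"; then return 0; fi
    tmp="$(mktemp)" || return 1
    if awk -v line="    <product id=\"$id\" version=\"$version\"/>" '
        /^[ \t]*<\/installer-gui-script>[ \t]*$/ && !done { print line; done = 1 }
        { print }
        END { exit !done }' "$dist" > "$tmp"
    then
        cat "$tmp" > "$dist"; rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "no closing </installer-gui-script> line in $dist" >&2
        return 1
    fi
}

# Constructed sample shaped like `productbuild --synthesize` output.
sample_distribution() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <pkg-ref id="com.example.quickadd"/>
    <choices-outline>
        <line choice="default"/>
    </choices-outline>
    <pkg-ref id="com.example.quickadd" version="1.0">#quickadd.pkg</pkg-ref>
</installer-gui-script>
EOF
}

# The three steps from the post (macOS only). Run it from the directory that
# holds the package, as the post does; the result is <name>-new.pkg.
rebuild_with_product_id() {
    local pkg="$1" id="$2" version="${3:-1.0}"
    productbuild --synthesize --package "$pkg" distribution.xml || return 1
    add_product_id distribution.xml "$id" "$version" || return 1
    productbuild --distribution distribution.xml --package-path . "${pkg%.pkg}-new.pkg"
}

# Usage: ./add-product-id.sh quickadd.pkg com.example.quickadd [version]
if [ "$#" -ge 2 ]; then rebuild_with_product_id "$@"; fi
```

The XML edit refuses to touch a file without a closing tag line and is a no-op on a file that already carries a product element, so it can be re-run safely in a caching policy.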